Re: 2 questions

Roland Zink <> Mon, 30 March 2015 14:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1F4D81ACEEB for <>; Mon, 30 Mar 2015 07:01:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.113
X-Spam-Status: No, score=-5.113 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JZm7mY9oJZA3 for <>; Mon, 30 Mar 2015 07:01:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4D5171ACEED for <>; Mon, 30 Mar 2015 07:01:27 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1YcaCe-00050Y-Tq for; Mon, 30 Mar 2015 13:58:08 +0000
Resent-Date: Mon, 30 Mar 2015 13:58:08 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtp (Exim 4.80) (envelope-from <>) id 1YcaCX-0004z1-2t for; Mon, 30 Mar 2015 13:58:01 +0000
Received: from ([]) by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <>) id 1YcaCO-0003ok-OD for; Mon, 30 Mar 2015 13:57:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1427723849; l=2897; s=domk;; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References: Subject:To:MIME-Version:From:Date; bh=Lyvg1BG+ElQAEQN2CVmdq6cP0qM+Osz2NH9qG6qDON8=; b=FLMlhbqjLmmpZKPWmn6rcylJy6SxlNETpQfobMtZErsEoAVSeyt92Biorcx6u/oO1at /AuiXxFGYrblPcyHwhj3FgPwEh/edCZL4+160XGFYNHs+lMgpZhBePubEkoeuTj/4D/7S 82J8fwT46ONbNfMAdqHB2dXlk4nlgDhKgyM=
X-RZG-AUTH: :PmMIdE6sW+WWP9q/oR3Lt+I+9KAK33vRJaCwLQNJU2mlIkBC0t1G+0bSVECAiLyE3y/RHp/qt3BsA9Yuo1YqbQw1VQ==
Received: from [IPv6:2001:4dd0:ff67:0:593d:7e74:b4b7:67c0] ([2001:4dd0:ff67:0:593d:7e74:b4b7:67c0]) by (RZmta 37.4 AUTH) with ESMTPSA id w02056r2UDvTSj0 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256)) (Client did not present a certificate) for <>; Mon, 30 Mar 2015 15:57:29 +0200 (CEST)
Message-ID: <>
Date: Mon, 30 Mar 2015 15:57:33 +0200
From: Roland Zink <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
References: <em10bd3b39-e16a-4627-b277-b3cd147f81fe@bodybag>
In-Reply-To: <em10bd3b39-e16a-4627-b277-b3cd147f81fe@bodybag>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: none client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.5
X-W3C-Hub-Spam-Report: AWL=-1.496, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1YcaCO-0003ok-OD 863358ce2a26841856ccd5a235d0c891
Subject: Re: 2 questions
Archived-At: <>
X-Mailing-List: <> archive/latest/29074
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On 30.03.2015 14:29, Adrien de Croy wrote:
> well from where I stand there is a certain amount of duress being 
> applied to move people to TLS.
> * browser vendors saying they won't support plaintext (I wonder how 
> long that will last)
me too as this doesn't seem to be much effort
> * not really much effort going into working through issues with 
> plaintext version since it's always supposedly assumed that it won't 
> really be used and people will stick with 1.1 or go to https, and 
> issues will be solved.  Somehow.  Maybe.  Hopefully.
It is easier to upgrade to an http2 capable server than to switch to 
https. So I would prefer to see plaintext http2 as well.
> not many other options have been seriously considered for solving the 
> presumed problem of bad things happening on port 80.  Like moving to 
> another port.  100 is still available.
 From a network perspective this seems to logical thing to do. A 
different port probably means a different URL scheme (http2 lovely), but 
this then shows ossification at the content provider side (not the usual 
middle box claim), so I guess this will not fly.
> It is reasonable to want to avoid bad things but there are other ways 
> than TLS, but thanks to the push to https everywhere now everyone has 
> a MITM that will probably make port 443 just as broken as port 80.  
> Maybe not quite, since I guess ISPs are less likely to do that.  But 
> still a lot worse now than 2 years ago.
TLS is not end to end. It is well adjusted to the content provider side 
which could choose where to terminate TLS and can throw in any number of 
third parties which even gets delivered the original URL through the 
referer header. Servers can impersonate any number of identities and get 
hints how to cheat (SNI). The user on the other side has no choice, she 
doesn't get notified about the third parties and can't deploy any 
infrastructure to protect her.
> Not to mention the concerns around moving en masse to TLS and what 
> that will do for the security of TLS itself.  I'm not sure it's ready 
> for the load.  CA compromises will affect a lot more sites. They do 
> happen and will continue to do so, especially as the bounty goes up by 
> a few orders of magnitude.  A lot of eggs going into not many (CA) 
> baskets.
Giving the Internet to a small number of CAs seems also to be risky. If 
they don't like your opinion they can just revoke your certificate. 
Currently you can just get a different certificate from somebody else 
but for example with key pinning this may become more difficult.

Encryption costs energy. I heard different numbers and the numbers seem 
to go down over the years but fighting against global warming seems not 
to be an IETF goal.

In my opinion the discussion about using http2 and TLS should be 
separate and luckily http2 has both cleartext and TLS.